“Growing mobile attacks demand better trained staff and processes” states SANS Institute expert

The SANS Institute was established in 1989 as a co-operative research and education organisation focused on cyber security issues

The SANS Institute was established in 1989 as a co-operative research and education organisation focused on cyber security issues

In the wake of the recently uncovered DarkHotel attack which used compromised Wi-Fi networks in Five-Star hotels to hack the traditional and mobile devices of visiting high-level executives, there’s still a lack of awareness around the risks posed by mobile devices. That’s the view of SANS Institute instructor Raul Siles, a highly respected security researcher and one of the few individuals worldwide to have earned the GIAC Security Expert (GSE) designation.

“Many organisations have deployed MDM systems and this is a good first step in the right direction, but it’s not an ‘install and forget’ situation as the environment is much more complicated than, say, Windows, OS X or Linux,” explained Siles.

Siles highlights three problem areas in the way organisations are managing the threat posed by mobile devices: “The first issue is that the threat is often underappreciated as many of these devices move between the private and work life of the user,” he stated. “This challenges organisations to think differently about how to enforce management and security policies on devices that are not under the full control of the host company.”

However, Siles also believes that some of the security enhancements embedded within many mobile device platforms such as built-in encryption, ‘sandboxed’ applications and remote management capabilities may lull organisations into overlooking some of the more pressing issues.

“The rapid pace of change within the mobile space is both a blessing and a security curse,” asserted Siles. “With roughly 1.5 million applications for both Android and iOS, the amount of applications with malicious or unexpected behaviours or even applications that contain basic vulnerabilities is growing. Many of the devices are lacking in features to effectively manage significant areas of risk.”

Lack of necessary skill sets

The researcher points to a lack of functionality to manage IPv6 and personal firewalls as two sample areas where mobile devices are particularly weak.

“Another problem is the lack of skill sets within organisations to properly secure mobile environments and deal with threats,” commented Siles. “The number of mobile devices in use at some organisations is starting to overtake fixed desktop PCs and laptops, yet budgets for mobile information security training have not kept pace. This is a major issue, although we are seeing some improvement and particularly so as example incidents such as DarkHotel and others come to light.”

Siles will be teaching the SANS SEC575: Mobile Device Security and Ethical Hacking course in London this July. “This is one of the courses that we update most frequently to match the pace of change in the mobile industry.”

The course is designed to help organisations secure their mobile devices, applications and services by equipping personnel with the knowledge to design, deploy, operate and assess a well-managed and safe mobile environment.

The six-day intensive hands-on instruction teaches attendees how to capture and evaluate mobile device network activity, analyse strengths and weaknesses on each mobile platform, disassemble and analyse mobile code, recognise weaknesses in common mobile applications and conduct full-scale mobile penetration tests.

“We are also seeing more people from development backgrounds attending the course which is a welcome development,” explained Siles. “If you look at many of the recent hacks, they will often stem from vulnerabilities in libraries that are commonly used across families of applications. If we can help developers and integrators build secure apps then we can certainly mitigate one of the areas of major risk.”

*The SANS SEC575: Mobile Device Security and Ethical Hacking course will run as part of the ‘SANS London in Summer’ event from 13-18 July at the Grand Connaught Rooms in London’s West End. The event includes ten courses with topics from across the SANS curriculum including Security Essentials, Incident Handling, Penetration Testing, Management and Forensics.

**For more information visit: http://www.sans.org/event/london-in-the-summer-2015/

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.

Related Posts